Hi all,

I am having a slight problem with a before filter. I have a page that calls a before filter to create a set of methods to call my report generator, based on whether the person has permissions to the report. In development it seems to work fine, but in production I only have access to one of the reports; it tells me that no action responded to the particular method being called. Being that I can get to the first report, I know that it is working but failing on the second time through the loop.

The code in the controller looks like this:

########################################################################################
before_filter :create_report_methods

def create_report_methods
  Report.find_all.each do |r|
    HomeController.send :define_method, "report_#{r.id}" do
      redirect_to("http://onetruth:8080/birt/frameset?__report=#{r.name}.rptdesign")
    end unless ReportMembership.find(:first, :conditions =>
        ["report_id = ? and memberable_type = 'TeamMember' and memberable_id = ?",
         r.id, TeamMember.get_team_member.id]).nil? and
      ReportMembership.find_by_sql(
        ["select * from report_memberships as rm, team_members as tm, " \
         "departments as d, department_memberships as dm " \
         "where rm.memberable_type = 'Department' and rm.memberable_id = d.id " \
         "and d.id = dm.department_id and dm.team_member_id = tm.id " \
         "and tm.id = ? and report_id = ?",
         TeamMember.get_team_member.id, r.id]).first.nil?
  end
end
###########################################################################################

It works as expected in development, so my question is: could another user be going to the site through mongrel and changing the methods I have? Any help is appreciated with this issue of mine. (I will post the log entries once I find them; I am working in production on a test system.)

White Wizzard

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On 22 Jan 2008, at 14:00, White Wizzard wrote:

> Hi all,
> I am having a slight problem with a before filter. I have a page that calls a before filter to create a set of methods to call my report generator, based on whether the person has permissions to the report. In development it seems to work fine, but in production I only have access to one of the reports; it tells me that no action responded to the particular method being called. Being that I can get to the first report, I know that it is working but failing on the second time through the loop.
>
> The code in the controller looks like this:
>
> ########################################################################################
> before_filter :create_report_methods
>
> def create_report_methods
>   Report.find_all.each do |r|
>     HomeController.send :define_method, "report_#{r.id}" do
>       redirect_to("http://onetruth:8080/birt/frameset?__report=#{r.name}.rptdesign")
>     end unless ReportMembership.find(:first, :conditions =>
>         ["report_id = ? and memberable_type = 'TeamMember' and memberable_id = ?",
>          r.id, TeamMember.get_team_member.id]).nil? and
>       ReportMembership.find_by_sql(
>         ["select * from report_memberships as rm, team_members as tm, " \
>          "departments as d, department_memberships as dm " \
>          "where rm.memberable_type = 'Department' and rm.memberable_id = d.id " \
>          "and d.id = dm.department_id and dm.team_member_id = tm.id " \
>          "and tm.id = ? and report_id = ?",
>          TeamMember.get_team_member.id, r.id]).first.nil?
>   end
> end

yuck.

> ###########################################################################################
> It works as expected in development, so my question is: could another user be going to the site through mongrel and changing the methods I have? Any help is appreciated with this issue of mine. (I will post the log entries once I find them; I am working in production on a test system.)

Quite possible.
Another difference between development and production is that in development the classes are reloaded on each request.

I have to wonder why you need a convoluted design like this, rather than have a single report action that generates the right thing based on the id parameter.

Fred
The thought behind this is for security reasons: if the user has a report method that parameters are passed to, a person could easily get a hold of reports that he should not be able to see. If I query the database, like I am doing here, I still run the risk of someone getting to the report. If I use everything behind the scenes like I currently am, and define a method to call each report based on whether you have permissions on that report, it seems a little more secure than passing a number to a report function. I also don't have to error check to see if the id is an integer and all the other fun stuff that goes along with that.

Anyway, my boss liked it better this way. Also, I noticed that I have permissions on all reports and I can only get to the first report, not the others that I have permission to. There is one other person that has the same permissions as I do. This is perplexing me a little bit.

White Wizzard
BTW, I do know that I need to refactor this code to prevent some CS attacks by taking and moving the finds into the models.

WW

On Jan 22, 12:50 pm, White Wizzard <The.White.Wizz...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> The thought behind this is for security reasons: if the user has a report method that parameters are passed to, a person could easily get a hold of reports that he should not be able to see. If I query the database, like I am doing here, I still run the risk of someone getting to the report. If I use everything behind the scenes like I currently am, and define a method to call each report based on whether you have permissions on that report, it seems a little more secure than passing a number to a report function. I also don't have to error check to see if the id is an integer and all the other fun stuff that goes along with that.
>
> Anyway, my boss liked it better this way. Also, I noticed that I have permissions on all reports and I can only get to the first report, not the others that I have permission to. There is one other person that has the same permissions as I do. This is perplexing me a little bit.
>
> White Wizzard
On 22 Jan 2008, at 17:50, White Wizzard wrote:

> The thought behind this is for security reasons: if the user has a report method that parameters are passed to, a person could easily get a hold of reports that he should not be able to see. If I query the database, like I am doing here, I still run the risk of someone getting to the report. If I use everything behind the scenes like I currently am, and define a method to call each report based on whether you have permissions on that report, it seems a little more secure than passing a number to a report function. I also don't have to error check to see if the id is an integer and all the other fun stuff that goes along with that.

You're adding no security, but you are adding rather a lot of complexity (and of course once you've added the methods for one user they'll be there for every user. Of course you won't notice that in development because classes are reloaded, so that's a hole waiting to bite you).

If user has_many :reports (via some join model that models who has been given access to what) then it's as easy as

  # scoped through the association; find_by_id returns nil (rather than
  # raising RecordNotFound) when the report is not among this user's reports
  report = @logged_in_user.reports.find_by_id(params[:id])
  if report
    report.run
  else
    # oops, you don't have access to that report
  end

Fred

> Anyway, my boss liked it better this way. Also, I noticed that I have permissions on all reports and I can only get to the first report, not the others that I have permission to. There is one other person that has the same permissions as I do. This is perplexing me a little bit.
>
> White Wizzard
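As an added example that is not part of the original thread (plain Ruby, no Rails needed; every class, method and URL name and all sample data below are assumptions chosen to mirror the post): the first controller reproduces the define_method-in-a-before_filter design and shows why it looks fine in development, where the class is reloaded per request, yet leaks in production, where the methods defined for one user stay on the class for everyone; the second does what Fred describes, one report action with the lookup scoped to the logged-in user's permitted reports.

```ruby
# Added example, not the poster's or Fred's code: a plain-Ruby model (no Rails
# needed) of the two designs discussed in the thread. All class, method, URL
# names and sample data below are assumptions chosen to mirror the post.
Report     = Struct.new(:id, :name)
TeamMember = Struct.new(:id, :login)
Membership = Struct.new(:report_id, :memberable_type, :memberable_id)

# Constructed sample data standing in for the reports, team_members,
# report_memberships and department_memberships tables.
REPORTS = [Report.new(1, "sales"), Report.new(2, "payroll")]
ALICE   = TeamMember.new(10, "alice")
BOB     = TeamMember.new(11, "bob")
DEPARTMENT_MEMBERS = { 100 => [ALICE.id] }  # department id => member ids
MEMBERSHIPS = [
  Membership.new(1, "TeamMember", ALICE.id), # direct grant on report 1
  Membership.new(2, "Department", 100),      # report 2 granted to department 100
]
REPORT_BASE = "http://reports.example.invalid/birt/frameset?__report="  # assumed host

# Same rule as the two finds in the original filter: permitted if the member
# holds a direct grant or belongs to a department that holds one.
def permitted?(report, member)
  MEMBERSHIPS.any? do |m|
    next false unless m.report_id == report.id
    case m.memberable_type
    when "TeamMember" then m.memberable_id == member.id
    when "Department" then DEPARTMENT_MEMBERS.fetch(m.memberable_id, []).include?(member.id)
    else false
    end
  end
end

class FakeController
  attr_reader :current_user, :redirected_to
  def initialize(user)
    @current_user = user
  end
  def redirect_to(url)
    @redirected_to = url
  end
end

# Design 1 (the original post): a before_filter that define_methods report_N on
# the controller CLASS for every report the current user may see.
class LeakyController < FakeController
  def create_report_methods
    REPORTS.each do |r|
      next unless permitted?(r, current_user)
      LeakyController.send(:define_method, "report_#{r.id}") do
        redirect_to("#{REPORT_BASE}#{r.name}.rptdesign")
      end
    end
  end

  # Stand-in for Rails dispatch: run the filter, then the action if one exists.
  def dispatch(action)
    create_report_methods
    return :no_action unless respond_to?(action)
    public_send(action)
    :redirected
  end

  # Stand-in for development mode, where Rails reloads the class per request.
  def self.reload!
    instance_methods(false).grep(/\Areport_\d+\z/).each { |m| remove_method(m) }
  end
end

# Two requests in one process: alice (permitted) then bob (not permitted).
# In production the class is never reloaded, so bob finds alice's methods.
def leaky_sequence(mode)
  [[ALICE, :report_1], [BOB, :report_1]].map do |user, action|
    LeakyController.reload! if mode == :development
    LeakyController.new(user).dispatch(action)
  end
end

# Design 2 (Fred's suggestion): one action, authorization decided per request
# by looking the id up only among the reports this user is allowed to see.
class ScopedController < FakeController
  def report(id)
    return :bad_request unless id.to_s.match?(/\A\d+\z/)
    visible = REPORTS.select { |r| permitted?(r, current_user) } # ~ current_user.reports
    r = visible.find { |v| v.id == id.to_i }                       # ~ .find(params[:id])
    return :forbidden unless r
    redirect_to("#{REPORT_BASE}#{r.name}.rptdesign")
    :redirected
  end
end

def scoped_request(user, id)
  ScopedController.new(user).report(id)
end

if __FILE__ == $PROGRAM_NAME
  p leaky_sequence(:development)  # [:redirected, :no_action]   bug hidden by reload
  p leaky_sequence(:production)   # [:redirected, :redirected]  bob gets alice's report
  p scoped_request(BOB, "1")      # :forbidden
end
```

In the :production sequence bob's request is answered with a redirect to alice's report because report_1 already exists on the class when his request arrives; the filter never had to grant him anything. The scoped version answers :forbidden for a report the user may not see and :bad_request for a non-numeric id, which is the integer check the poster wanted to avoid; with ActiveRecord, @logged_in_user.reports.find(params[:id]) covers both cases by raising RecordNotFound, so a caller cannot tell a missing report from one it is not allowed to see.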